Reports started circulating yesterday that Gmail had been hacked, with some 5 million logins at risk. This follows the publication, on Tuesday, of a plain text list of Gmail usernames and passwords on a Russian Bitcoin forum. Within 24 hours the 'hack hysteria' had taken hold and people were being advised to check if their accounts had been compromised, change their passwords etc. Trouble is, there appears to be absolutely no actual evidence that Gmail has been hacked at all, and plenty to suggest that this credentials list is just another composite; constructed with passwords taken from lists already published concerning other breaches. The Gmail connection is, at the most, that people whose credentials were exposed at those other sites and services had used a Gmail address to register their accounts.
Having spoken to a number of people who, at first glance, would appear to have fallen victim of the Gmail hack that wasn't, it seems that there are lots of very old passwords in play on that list. What's more, there are lots which were never actually associated with a Gmail account at all. Just to be clear, what I'm saying here is that the list itself seems to consist largely of instances where someone has registered with a service with a username of firstname.lastname@example.org and a password of yyyzzz and the inference is that yyyzzz is the Gmail account password. This is simply not the case in many instances that I've been made aware of, enough for me to conclude that it's nothing to be overly concerned about.
Sure, if you one of those folk who reuse passwords across sites and services, and your Gmail account password is not unique, then you should be concerned. But then you should have been concerned long before this list appeared, not least as what I've seen so far would lead me to believe that much of the data listed comes from old data breaches and phishing attacks.
So why bother publishing this list? Good question, and as it's not being sold (5 million live Gmail logins would certainly carry a substantial dark market value) the probable answer is for kudos.
My advice would be to ignore the media arm waving which will quickly die down as the media realises it has been running around with a non-story. However, do not ignore the warning that the non-story brings with it: if this had been for real you could have been in big trouble. Don't reuse passwords (use something like the LastPass security audit to check for such usage) and change your Gmail password now anyway, it's not a bad idea to do this every now and then. While you are at it, think about implementing two-factor authentication as well; not just for Gmail but for every service you use that offers it. This makes it much harder for anyone to actually use login data should the service get breached.
If you are concerned that your Gmail address may be on the published list, along with passwords associated with it, then you can check by using the free security checker from KnowEm which is trusted and simply queries a plain text database and does not record/log your email address (or any personally identifiable information) about the query.